Continuous authentication using an in-band or out-of-band side channel

US 5,311,596 A
Filed: 08/31/1992
Issued: 05/10/1994
Est. Priority Date: 08/31/1992
Status: Expired due to Term

First Claim

Patent Images

1. Apparatus for re-authenticating a user of a data connection, the data connection comprising a primary channel and a side channel, the apparatus comprising:

means for sending and receiving to a) send a request for identification to the user and receive an identifier from the user and b) send a plurality of challenges to and receive a plurality of responses from the user on the side channel, where each one of the plurality of responses corresponds to a respective one of the plurality of challenges; and

means for verifying each one of the plurality of responses as a function of each one of the respective plurality of challenges to provide an output representative of the verification of each one of the plurality of responses;

wherein the means for verifying encrypts each one of the plurality of challenges, where the encryption is a function of a data encryption key that is selected as a function of the identifier of the user and wherein the means for verifying compares each one of the plurality of responses with each respective one of the plurality of encrypted challenges to provide the output representative of verification, whereby if there is a mismatch between a respective one of the plurality of encrypted challenges and the one of the plurality of responses the data connection is interrupted.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A re-authentication procedure between the modems of a public switched telephone network (PSTN) data connection, which is between a computer facility and a user, provides a secure method for protecting the computer facility against an active wire tap, or spoofing, by an intruder. In particular, the user'"'"'s modem and the computer'"'"'s modem perform a re-authentication procedure throughout the duration of the data connection. This re-authentication procedure is transparently performed on a side channel of the data connection. This side channel can either be an in-band channel or an out-of-band channel. The re-authentication procedure comprises an exchange of encrypted information between the two modems. If one of the modems detects the presence of an active wire tap, that modem simply interrupts the data connection.

337 Citations

30 Claims

1. Apparatus for re-authenticating a user of a data connection, the data connection comprising a primary channel and a side channel, the apparatus comprising:
- means for sending and receiving to a) send a request for identification to the user and receive an identifier from the user and b) send a plurality of challenges to and receive a plurality of responses from the user on the side channel, where each one of the plurality of responses corresponds to a respective one of the plurality of challenges; and
  
  means for verifying each one of the plurality of responses as a function of each one of the respective plurality of challenges to provide an output representative of the verification of each one of the plurality of responses;
  
  wherein the means for verifying encrypts each one of the plurality of challenges, where the encryption is a function of a data encryption key that is selected as a function of the identifier of the user and wherein the means for verifying compares each one of the plurality of responses with each respective one of the plurality of encrypted challenges to provide the output representative of verification, whereby if there is a mismatch between a respective one of the plurality of encrypted challenges and the one of the plurality of responses the data connection is interrupted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The apparatus of claim 1 wherein the means for verifying is a function of a symmetric data encryption algorithm.
  - 3. The apparatus of claim 1 wherein the means for verifying is a function of an asymmetric data encryption algorithm.
  - 4. The apparatus of claim 1 wherein each one of the respective challenges is a random number and the means for verifying and the means for sending are included within a data communications equipment apparatus.
  - 5. The apparatus of claim 1 wherein the side channel is an in-band channel.
  - 6. The apparatus of claim 5 wherein the in-band channel is time division multiplexed with the primary channel.
  - 7. The apparatus of claim 1 wherein the side channel is an out-of-band channel.
  - 8. The apparatus of claim 7 wherein the out-of-band channel is frequency division multiplexed with the primary channel.

9. Data communications equipment apparatus for re-authenticating a user of a data connection, the data communications equipment apparatus comprising:
- means for sending and receiving to a) send a request for identification to a second data communications equipment apparatus and receive an identifier from the second data communications equipment apparatus and b) send a plurality of challenges to and receive a plurality of responses from the second data communication equipment apparatus of the user, where each one of the plurality of responses corresponds to a respective one of the plurality of challenges; and
  
  means for verifying each one of the plurality of responses as a function of each one of the respective plurality of challenges to provide an output representative of the verification of each one of the plurality of responses;
  
  wherein the means for verifying encrypts each one of the plurality of challenges, where the encryption is a function of a data encryption key that is selected as a function of the identifier of the second communications equipment apparatus and wherein the means for verifying compares each one of the plurality of responses with each respective one of the plurality of encrypted challenges to provide the output representative of verification, whereby if there is a mismatch between a respective one of the plurality of encrypted challenges and the one of the plurality of responses the data connection is interrupted.
- View Dependent Claims (10, 11, 12)
- - 10. The apparatus of claim 9 wherein the means for verifying is a function of a symmetric data encryption algorithm.
  - 11. The apparatus of claim 9 wherein the means for verifying is a function of an asymmetric data encryption algorithm.
  - 12. The apparatus of claim 9 wherein each one of the respective challenges is a random number and the data communications equipment apparatus is a modem.

13. A method for re-authenticating a user of a data connection, the data connection comprising a primary channel and a side channel, the method comprising the steps of:
- sending a request for identification to the user and receiving an identifier from the user in response thereto;
  
  sending a plurality of challenges to and receiving a plurality of responses from the user on the side channel, where each one of the plurality of responses corresponds to a respective one of the plurality of challenges; and
  
  verifying each one of the plurality of responses as a function of each one of the respective plurality of challenges to provide an output representative of the verification of each one of the plurality of responses;
  
  wherein the step of verifying encrypts each one of the plurality of challenges, where the encryption is a function of a data encryption key that is selected as a function of the identifier of the user and wherein the step of verifying compares each one of the plurality of responses with each respective one of the plurality of encrypted challenges to provide the output representative of verification, whereby if there is a mismatch between a respective one of the plurality of encrypted challenges and the one of the plurality of responses the data connection is interrupted.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13 wherein the step of verifying is a function of a symmetric data encryption algorithm.
  - 15. The method of claim 13 wherein the step of verifying is a function of an asymmetric data encryption algorithm.
  - 16. The method of claim 13 wherein each one of the respective challenges is a random number.
  - 17. The method of claim 13 wherein the side channel is an in-band channel.
  - 18. The method of claim 17 wherein the in-band channel is time division multiplexed with the primary channel.
  - 19. The method of claim 13 wherein the side channel is an out-of-band channel.
  - 20. The method of claim 19 wherein the out-of-band channel is frequency division multiplexed with the primary channel.

21. A method for re-authenticating a user of a data connection for use in a first data communications equipment apparatus, the data connection comprising the first data communications equipment apparatus and a second data communication equipment apparatus of the user, the method comprising the steps of:
- a) sending a request for identification to the second data communications equipment apparatus and receiving an identifier from the second data communications equipment apparatus;
  
  b) sending a plurality of challenges to and receiving a plurality of responses from the second data communication equipment apparatus, where each one of the plurality of responses corresponds to a respective one of the plurality of challenges; and
  
  c) verifying each one of the plurality of responses as a function of each one of the respective plurality of challenges to provide an output representative of the verification of each one of the plurality of responses wherein the verifying step includes;
  
  encrypting each one of the plurality of challenges, where the encryption is a function of a data encryption key that is selected as a function of the identifier of the second communications equipment apparatus; and
  
  comparing each one of the plurality of responses with each respective one of the plurality of encrypted challenges to provide the output representative of verification, whereby if there is a mismatch between a respective one of the plurality of encrypted challenges and the one of the plurality of responses the data connection is interrupted.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21 wherein the verifying step b) is a function of a symmetric data encryption algorithm.
  - 23. The method of claim 21 wherein the verifying step b) is a function of an asymmetric data encryption algorithm.
  - 24. The method of claim 21 wherein each one of the respective challenges is a random number and the data communications equipment apparatus is a modem.

25. A method for re-authenticating a user of a data connection, the data connection comprising a first data communications equipment apparatus and a second data communications equipment apparatus, the method comprising the steps of:
- a) storing in the first data communications equipment apparatus a key list comprising a plurality of identification numbers, each identification number associated with a data encryption key;
  
  b) receiving in the first data communications equipment apparatus an identification number from the second data communications equipment apparatus;
  
  c) retrieving from the key list the data encryption key associated with the identification number received from the second data communications equipment apparatus;
  
  d) sending a challenge from the first data communications equipment apparatus to the second data communications equipment apparatus, the challenge comprising a number;
  
  e) receiving in the first data communications equipment apparatus a response from the second data communications equipment apparatus, the response comprising a number; and
  
  f) processing the response from the second data communications equipment apparatus by encrypting the challenge as a function of the retrieved data encryption key to provide an encrypted challenge; and
  
  g) comparing the response with the encrypted challenge and repeating steps d) through g) if the response is equal to the encrypted challenge and interrupting the data connection if the response is not equal to the encrypted challenge.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The method of claim 25 wherein the first data communications equipment apparatus is the originator of the data connection.
  - 27. The method of claim 25 wherein the second data communications equipment apparatus is the originator of the data connection.
  - 28. The method of claim 25 wherein the challenge of step d) and the response of step e) are carried by a side channel over the data connection.
  - 29. The method of claim 25 wherein the side channel is an in-band channel.
  - 30. The method claim 25 wherein the side channel is an out-of-band channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Paradyne Corporation (Dasan Networks Incorporated)
Original Assignee
AT&T, Inc.
Inventors
Scott, Robert E., Smith, Richard K.
Primary Examiner(s)
Swann, Tod R.

Application Number

US07/937,009
Time in Patent Office

617 Days
Field of Search

380/23, 380/24, 380/25, 380/33, 380/34, 379/7, 379/62, 379/63, 379/45, 379/351
US Class Current

380/33
CPC Class Codes

G06F 21/31   User authentication

G06F 21/313   using a call-back technique...

G06F 2221/2103   Challenge-response

H04L 63/08   for authentication of entit...

H04L 63/18   using different networks or...

H04L 9/3271   using challenge-response

Continuous authentication using an in-band or out-of-band side channel

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

337 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Continuous authentication using an in-band or out-of-band side channel

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

337 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links